A recent ‘Dharma’ campaign by Iran-linked ‘script kiddies’ shows that the ransomware is no longer spread only by sophisticated, state-sponsored actors.
A group of ‘script kiddies’ tied to Iran is targeting companies worldwide that expose Remote Desktop Protocol (RDP) ports to the internet and use weak credentials, in order to infect them with Dharma ransomware.
The Dharma malware (also known as Crysis) has been distributed under a ‘ransomware-as-a-service’ (RaaS) model since at least 2016. While the ransomware was previously used by advanced persistent threat (APT) actors, its source code appeared in March 2020, making it available to a much wider range of attackers.
That is the case with this latest Iran-linked threat group, which researchers describe as ‘unsophisticated’ and which has been targeting companies across Russia, Japan, China and India with the ransomware since June.
“The fact that Dharma source code has been made widely available led to the increase in the number of operators deploying it,” Oleg Skulkin, Senior Digital Forensics Specialist with Group-IB, said in an analysis of the attacks posted Monday.
“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage. Despite the fact that these cyber-criminals use quite common tactics, techniques and procedures, they have been quite effective.”
The threat actors are unsophisticated because they use publicly available tools both to obtain initial access and to move laterally, rather than custom malware or post-exploitation frameworks, Group-IB Senior DFIR Analyst Oleg Skulkin observed.
“The threat actors use the Persian language for Google searches on compromised servers and download tools from Iran-linked Telegram groups,” Skulkin explained.
“In addition, Group-IB experts saw the threat actors’ attempt to brute-force accounts on an Iranian video streaming service.”
Attackers in this campaign first scanned IP ranges for hosts with exposed RDP ports and weak credentials, researchers said. They used the scanning software Masscan (previously used by threat actors such as Fxmsp).
Brute Force Application
As vulnerable hosts were identified, the attackers deployed a well-known RDP brute-force application called NLBrute, which has been sold on forums for years. Using this tool, they were able to brute-force their way into the system and then check the validity of the obtained credentials on other accessible network hosts.
In some attacks, the attackers also attempted to escalate privileges using an exploit for an elevation-of-privilege vulnerability, CVE-2017-0213. This medium-severity flaw affects Windows systems and can be exploited when an attacker runs a specially crafted application.
After the compromise, “interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks,” researchers noted, which further reveals the lack of sophistication. In their attacks, the attackers would download various publicly available tools to perform reconnaissance or move laterally across the network.
To scan for accessible hosts in the compromised network, they used the publicly available tool Advanced Port Scanner. Other tools were downloaded by the attackers from Farsi-language Telegram channels, researchers noted.
“For instance, to disable built-in antivirus software, the attackers used Defender Control and Your Uninstaller,” researchers explained. “The latter was downloaded from an Iranian software-sharing website — the Google search query in Farsi, the Persian language, ‘دانلود نرم افزار youre unistaller’ was discovered in the Chrome artifacts.”
The attackers would then move laterally through the network, deploy the Dharma executable, encrypt data and leave the victim a ransom note. Researchers said the hackers typically demanded a ransom of between 1 and 5 BTC (worth roughly $12,000 to $59,000).
While the precise number of victims in this campaign is not known, researchers observed that the forensic artifacts they recovered show the threat actors behind it are “far behind the level of sophistication of big league Iranian APTs.”
“The newly discovered hacker group suggests that Iran, which has been known as a ‘cradle’ of state-sponsored APT groups for years, now also accommodates financially motivated cyber-criminals,” according to Group-IB researchers.
Part of this shift may also be linked to the pandemic, which has exposed a large number of vulnerable hosts as employees work remotely, making RDP an extremely popular attack vector for cyber-criminals. The default RDP port, 3389, should therefore be closed if it is not in use, they advised.
“As the attackers usually need several attempts to brute-force passwords and gain access to RDP, it is important to enable account lockout policies by limiting the number of failed log-in attempts per user,” researchers concluded.
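The brute-force pattern described above (many failed RDP logons from one source, then a success) is also detectable from Windows Security logs. The following is an added example, not code from Group-IB or the article: it runs a sliding-window count of failed RDP logons (Event ID 4625, LogonType 10) per source IP over constructed sample lines, and notes whether a successful logon (4624) from the same IP followed the burst. The log line format and all values are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the Group-IB report) in the shape of
# Windows Security events: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2020-06-05T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-06-05T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-06-05T10:00:03 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-06-05T10:00:04 EventID=4625 LogonType=10 TargetUserName=sysadmin IpAddress=203.0.113.7
2020-06-05T10:00:05 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.7
2020-06-05T10:00:06 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.7
2020-06-05T10:30:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.22
2020-06-05T11:00:00 EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_events(text):
    """Parse the constructed log format; timestamps become datetime objects."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window,
    recording the accounts tried and whether a successful RDP logon followed."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != "10":
            continue  # only RDP (RemoteInteractive) logons matter here
        ip = ev["ip"]
        if ev["eid"] == "4625":
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"failed": 0, "users": set(), "success_after": False})
                hit["failed"] = max(hit["failed"], len(q))
                hit["users"].update(user for _, user in q)
        elif ev["eid"] == "4624" and ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged
```

The `threshold` and `window` parameters mirror the account lockout settings the researchers recommend; a hit with `success_after` set is the case that warrants immediate investigation.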